feat: Wave 1 — search-first skill, confidence thresholds, version manifest#138
Merged
feat: Wave 1 — search-first skill, confidence thresholds, version manifest#138
Conversation
added 5 commits
March 13, 2026 00:42
New skill enforcing a 4-phase research loop (Need Analysis → Search → Evaluate → Decide) before writing custom utility code. Delegates research to Explore subagent to keep main session context clean. Four decision outcomes: Adopt, Extend, Compose, Build. Added to core-skills plugin and ambient-router BUILD primary skills.
Each review finding now includes a visible confidence score (0-100%). Only findings ≥80% appear in main report sections; 60-79% go to a capped Suggestions section; <60% are dropped entirely. Adds consolidation rules: group similar issues, skip stylistic preferences, skip unchanged code unless CRITICAL. Fixes synthesizer review glob (was *-report.*.md, matched zero files) to *.md with self-exclusion. Adds confidence-aware aggregation with cross-reviewer boosting. Updates Git agent PR comment instructions to only create inline comments for ≥80% confidence findings.
New manifest.json tracks installed version, plugins, scope, and feature flags. Written to devflowDir after successful init. - readManifest/writeManifest/mergeManifestPlugins/detectUpgrade utilities - init.ts: detects upgrade/reinstall via manifest, writes after install - list.ts: shows install status, version, features from manifest - Partial installs merge plugins instead of overwriting - 17 new tests for all manifest operations
dean0x
commented
Mar 13, 2026
| const manifestPath = path.join(devflowDir, 'manifest.json'); | ||
| try { | ||
| const content = await fs.readFile(manifestPath, 'utf-8'); | ||
| const data = JSON.parse(content) as ManifestData; |
Owner
Author
There was a problem hiding this comment.
Manifest Validation Gap (BLOCKING)
The readManifest function validates only 3 fields (version, plugins, scope) but casts the full object via as ManifestData. Missing validation for features object, installedAt, and updatedAt.
Risk: Partial/malformed manifests pass validation but cause runtime crashes in list.ts:41 when accessing manifest.features.teams.
Fix: Add full field validation:
if (
\!data.version ||
\!Array.isArray(data.plugins) ||
\!data.scope ||
typeof data.features \!== "object" ||
data.features === null ||
typeof data.features.teams \!== "boolean" ||
typeof data.features.ambient \!== "boolean" ||
typeof data.features.memory \!== "boolean" ||
\!data.installedAt ||
\!data.updatedAt
) {
return null;
}Or use Zod schema (project convention per CLAUDE.md).
Confidence: 85% | Consolidated: Reported in 5 reviews (security, architecture, consistency, tests, regression)
Claude Code Review
dean0x
commented
Mar 13, 2026
src/cli/commands/init.ts
Outdated
| installedAt: existingManifest?.installedAt ?? now, | ||
| updatedAt: now, | ||
| }; | ||
| await writeManifest(devflowDir, manifestData); |
Owner
Author
There was a problem hiding this comment.
Missing Error Handling for writeManifest (BLOCKING)
The writeManifest() call is not wrapped in try/catch. If the write fails (permissions, disk full), the entire init command crashes after plugins are already installed.
Impact: User sees CLI error despite successful installation, confusion about install state.
Fix: Wrap in try/catch with graceful degradation:
try {
const installedPluginNames = pluginsToInstall.map(pl => pl.name);
const now = new Date().toISOString();
const manifestData = {
version,
plugins: existingManifest && options.plugin
? mergeManifestPlugins(existingManifest.plugins, installedPluginNames)
: installedPluginNames,
scope,
features: { teams: teamsEnabled, ambient: ambientEnabled, memory: memoryEnabled },
installedAt: existingManifest?.installedAt ?? now,
updatedAt: now,
};
await writeManifest(devflowDir, manifestData);
} catch (error) {
p.log.warn(`Could not write manifest: ${error instanceof Error ? error.message : error}`);
}Manifest is a non-critical feature (upgrade tracking only), so write failure should not crash the installer.
Confidence: 82% | Categories: Architecture, Regression
Claude Code Review
Owner
Author
Code Review Summary — Blocking & Should-Fix IssuesBlocking Issues (2 inline comments created above)✅ Manifest Validation Gap (
✅ Missing Error Handling (
Documentation Issues (HIGH - Not in PR diff)
Action: Please update README.md in a follow-up commit to prevent documentation-reality drift. Should-Fix Issues📊 Test Coverage Gaps (HIGH Risk)Missing edge case tests (
Zero test coverage for integration logic (
Confidence: 85-88% | Category: HIGH ⚡ Performance OpportunitySequential I/O in
🎯 Complexity ReductionExtract
Extract manifest helpers from
Summary by Severity
Claude Code Review Assistant |
Add missing [Unreleased] link reference per keep-a-changelog convention. Points to comparison from v1.4.0 (latest release) to HEAD. Co-Authored-By: Claude <noreply@anthropic.com>
- Update total skill count from 30 to 31 and core auto-activating count from 8 to 9 to reflect the addition of search-first - Add search-first row to auto-activating skills table Co-Authored-By: Claude <noreply@anthropic.com>
…ss-refs - Add report template example for grouped/consolidated findings in reviewer.md so agents know how to format N-occurrence issues - Add cross-reference HTML comments in reviewer.md, synthesizer.md, and code-review.md linking the three locations where the 80% confidence threshold is documented, reducing sync drift risk Resolves: batch-6 (B7, S6) Co-Authored-By: Claude <noreply@anthropic.com>
… I/O - Extract formatFeatures, resolveScope, getPluginInstallStatus, and formatPluginCommands as exported pure functions from list.ts handler - Parallelize getGitRoot() and readManifest() with Promise.all since they are independent I/O operations - Add 14 unit tests in list-logic.test.ts covering all extracted functions Co-Authored-By: Claude <noreply@anthropic.com>
…luginList - Wrap writeManifest call in try/catch so a permissions or disk error after a successful install emits a non-fatal warning instead of crashing the CLI - Use resolvePluginList to encapsulate partial-vs-full install merge decision, replacing inline conditional - Add 5 tests for resolvePluginList covering full install, partial install merge, deduplication, and missing manifest edge cases Co-Authored-By: Claude <noreply@anthropic.com>
Add missing test coverage for manifest utilities: - v-prefixed version strings in compareSemver (via detectUpgrade) - Unparseable installed version in detectUpgrade (symmetric case) - mergeManifestPlugins with empty array boundaries Co-Authored-By: Claude <noreply@anthropic.com>
Remove dead mergeManifestPlugins import from init.ts (now called internally by resolvePluginList in manifest.ts) and align resolveScope return type order to 'user' | 'local' matching codebase convention.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Implements the three independent Wave 1 features from the post-v1.0 roadmap (#137):
Search-first skill (Search-First Skill: Research Before Building #111) — New skill enforcing a 4-phase research loop (Need Analysis → Search → Evaluate → Decide) before writing custom utility code. Added to core-skills plugin and ambient-router BUILD primary skills. 31 skills total (was 30).
Reviewer confidence thresholds (Reviewer Confidence Thresholds: Reduce Noise in Code Review Output #113) — Each review finding now includes a visible confidence score (0-100%). Only ≥80% findings appear in main report sections; 60-79% go to a capped Suggestions section. Adds consolidation rules (group similar issues, skip stylistic preferences, skip unchanged code unless CRITICAL). Fixes synthesizer review glob bug that matched zero reviewer files.
Version manifest (Version manifest for upgrade tracking #91) — Tracks installed version, plugins, scope, and feature flags in
manifest.json. Enables upgrade detection duringdevflow initand shows install status indevflow list. Partial installs merge plugins instead of overwriting. 17 new tests.Closes #111, closes #113, closes #91
Test plan
npm run buildpasses — 31 skills, 17 pluginsnpm testpasses — 208 tests (was 191, +17 manifest tests)search-firstskill distributed toplugins/devflow-core-skills/skills/node dist/cli.js listto verify install status display/code-reviewon a test branch to verify confidence percentages and suggestions section